b'December 2007\nReport No. EVAL-08-002\n\nThe FDIC\xe2\x80\x99s Telework Program\n\x0c                                                                                                                 Executive Summary\n                                                                                                             Report No. EVAL-08-002\n                                                                                                                      December 2007\n                                        The FDIC\xe2\x80\x99s Telework Program\n                                        Results of Evaluation\n\n                                        The FDIC has established a telework program that is consistent in most respects with applicable\n                                        federal standards and guidelines and recognized best practices. In that regard, the FDIC\xe2\x80\x99s\n                                        policies and program elements compare favorably to telework guidance of 13 other federal\nBackground and Purpose of               agencies we reviewed. In OPM\xe2\x80\x99s 2006 Federal Human Capital Survey, FDIC employees\nEvaluation                              reported an overall satisfaction rate of 56.6 percent with the Corporation\xe2\x80\x99s telework program\n                                        compared to a rate of 21.8 percent government-wide.\nSince October 2000, the Congress\nhas continued to express its desire     Reported participation in FDIC\xe2\x80\x99s telework program grew from 20 percent in 2001 to 47 percent\nfor federal agencies to create viable   in 2006. In 2005, following a more restrictive definition of telework that defined qualifying\ntelework programs through a             frequencies, the OPM calculated the FDIC\xe2\x80\x99s participation level to be at 4.56 percent in its 2006\nnumber of legislative actions.          Status of Telework in the Federal Government report to the Congress. 
Further, the report showed\nTelework programs allow                 that the FDIC\xe2\x80\x99s employee participation level ranked 59th among 77 federal agencies. The FDIC\nemployees with appropriate work         has its own views about gauging the success of its telework program, other than the level of\nprojects to work at home or in other    participation, such as employees being able to utilize partial-day telework to attend appointments\napproved work sites if they meet        or other non-work events in order to achieve a better work/life balance. Other issues bring into\ntelework program requirements and       question the reliability of the OPM statistics. For example, DOA noted that its time and\nobtain approval from their              attendance reporting system is not configured to capture the type of telework data that OPM\nsupervisors.                            requires and, as a result, the FDIC under-reported telework participation information to OPM.\n                                        Accordingly, it is unclear whether the FDIC has sufficiently reliable data to draw valid\nThe Office of Personnel                 conclusions regarding the extent of participation in its telework program. Finally, the FDIC\nManagement (OPM) and the                could better assess its program by conducting an evaluation of the program, consistent with\nGeneral Services Administration         corporate policy, and establishing measurable goals.\n(GSA) have joint leadership roles\nfor the government-wide telework        The FDIC also needs to clarify the role that telework plays in its business continuity and\ninitiative. The two agencies            pandemic event plans and policies, and conduct tests to evaluate the viability of telework\nprovide services and resources to       arrangements under both scenarios. 
The FDIC reported to the OPM that the majority of FDIC\nsupport and encourage telework,         employees are fully capable of sustaining operations while teleworking. However, the FDIC\nincluding issuing guidance to           needs to do more to ensure that during an emergency, the Corporation would be fully functional\nagencies in developing their            within the time frames prescribed by FEMA, or should a pandemic event occur, the Corporation\nprograms and procedures. In doing       has the ability to maintain uninterrupted operations for an extended period.\nso, the OPM has incorporated\nFederal Emergency Management            The FDIC received an award in 2006 for its innovative use of technology to support\nAgency (FEMA) guidance for both         employees who teleworked. Further, the Corporation has issued extensive guidance on\ncontinuity of operations and            protecting sensitive information and implemented controls to address OMB and GSA\npandemic preparedness.                  information security requirements associated with teleworking. Most notably, the FDIC\n                                        requires two-factor authentication for user identification, and remote network sessions are\nIn May 2001, the FDIC introduced        encrypted. However, the FDIC needs to complete initiatives that will provide greater\na Telework Pilot Program to give        assurance that sensitive electronic information--stored on removable media and Personal\nemployees greater work/life             Digital Assistant devices often used for teleworking--is safeguarded from unauthorized\nflexibility while continuing to meet    disclosure. The FDIC could also take steps to further protect data from unauthorized access\nthe Corporation\'s mission. The          during telework sessions on non-FDIC computers.\nFDIC\xe2\x80\x99s telework program became\npermanent in May 2003.                  
Finally, our report discusses two other matters for management\xe2\x80\x99s information and\n                                        consideration\xe2\x80\x94the FDIC\xe2\x80\x99s progress in developing and implementing a Pandemic Influenza\nOur evaluation objective was to         Preparedness Plan and an opportunity for the FDIC to improve the efficiency of its\nassess the extent to which the          administration of telework forms.\nCorporation has established and\nimplemented a telework program that     Recommendations: We made recommendations to improve the quality and reliability of\nis consistent with applicable federal   telework participation data; conduct an evaluation to determine whether the FDIC\xe2\x80\x99s\nstandards and guidelines and            telework program is meeting management\xe2\x80\x99s expectations; ensure that teleworkers are\nrecognized best practices.              prepared and supported during emergency situations and pandemic events; further enhance\n                                        security over data used when teleworking; and improve the efficiency of telework forms.\nTo view the full report, go to          Management concurred or partially concurred with eight of our nine recommendations and\nwww.fdicig.gov/2008report.asp           offered a reasonable explanation for disagreeing with the remaining recommendation.\n\x0c                             Table of Contents\n                                                                          Page\nEVALUATION OBJECTIVE AND APPROACH                                            1\n\nBACKGROUND                                                                   2\n\nEVALUATION RESULTS                                                           4\n\n      Employee Participation in the FDIC\xe2\x80\x99s Telework Program                  5\n\n      Evaluation of the Telework Program                                     8\n\n      Incorporating Telework Into Business Continuity and Pandemic  
        10\n      Preparedness\n\n      Security Control Requirements for Telework                            14\n\nOTHER MATTERS                                                               20\n\n      Influenza Pandemic Preparedness Planning                              20\n\n      Submission of Telework Agreements and Home Safety Self-               21\n      Certifications\n\nCorporation Comments and OIG Evaluation                                     23\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                               25\n\nAPPENDIX II: Corporation Comments                                           28\nAPPENDIX III: Management Response to Recommendations                        34\n\nTABLES\n\n      Table 1: 2006 Corporation-Wide Participation in the FDIC\xe2\x80\x99s             6\n      Telework Program by Grade\n\n      Table 2: Time-out Function Test Results                               17\n\nFIGURES\n\n      Figure 1: 2006 Headquarters Participation in the Telework Program      6\n\n\n\n\n                                       i\n\x0c           ACRONYM LIST\n\nAIS    Automated Information Systems\nBCP    Business Continuity Plan\nCBA    Collective Bargaining Agreement\nCOOP   Continuity of Operations\nCU     Corporate University\nDIR    Division of Insurance and Research\nDIT    Division of Information Technology\nDOA    Division of Administration\nDOF    Division of Finance\nDRR    Division of Resolutions and Receiverships\nDSC    Division of Supervision and Consumer Protection\nEEP    Enterprise Encryption Project\nEIM    Enterprise Information Management\nERT    Emergency Response Team\nFEMA   Federal Emergency Management Agency\nFMR    Federal Management Regulations\nFPC    Federal Preparedness Circular\nGSA    General Services Administration\nIT     Information Technology\nNTEU   National Treasury Employees Union\nOCFO   Office of Chief Financial Officer\nODEO   Office of Diversity and Economic Opportunity\nOERM   Office of Enterprise 
Risk Management\nOIA    Office of International Affairs\nOIG    Office of Inspector General\nOMB    Office of Management and Budget\nOO     Office of the Ombudsman\nOPA    Office of Public Affairs\nOPM    Office of Personnel Management\nPDA    Personal Digital Assistant\nPIPP   Pandemic Influenza Preparedness Plan\nRCN    Remote Computing Network\nUSB    Universal Serial Bus\n\n\n\n\n                    ii\n\x0cFederal Deposit Insurance Corporation                                                          Office of Evaluations\n3501 Fairfax Drive, Arlington, VA 22226                                                 Office of Inspector General\n\n\n\nDATE:                                     December 6, 2007\n\nMEMORANDUM TO:                            Arleas Upton Kea\n                                          Director, Division of Administration\n\n                                          Michael E. Bartell\n                                          Chief Information Officer and Director,\n                                          Division of Information Technology\n\n\n                                          [Signed]\nFROM:                                     Stephen M. Beard\n                                          Assistant Inspector General for Evaluations and Management\n\n\nSUBJECT:                                  The FDIC\xe2\x80\x99s Telework Program\n                                          (Report No. EVAL-08-002)\n\n\nThis report presents the results of our subject evaluation. Telework, also referred to as\ntelecommuting or flexiplace, has gained widespread attention over the past decade in both the\npublic and private sectors as a human capital flexibility that offers a variety of potential benefits\nto employers, employees, and society. The term telework refers to work that is performed at an\nemployee\xe2\x80\x99s home or at a work location other than a traditional office. 
Congress and the\nexecutive branch have shown interest in telework, primarily based upon the belief that its use\nwill benefit the federal government. Benefits of telework include reducing traffic congestion and\npollution, improving recruitment and retention of employees, increasing productivity, and\nreducing the need for office space. Employees also can realize benefits from teleworking,\nincluding reduced commuting time; lowered costs in areas such as transportation, parking, food,\nand wardrobe; removal of barriers for those with disabilities who want to be part of the\nworkforce; and improvement in the quality of work life and morale accruing from the\nopportunity to better balance work and family demands.\n\n\nEVALUATION OBJECTIVE AND APPROACH\nOur objective was to assess the extent to which the Corporation has established and implemented\na telework program that is consistent with applicable federal standards and guidelines and\nrecognized best practices.\n\x0cTo accomplish our objective, we:\n\n\xe2\x80\xa2   Evaluated relevant FDIC policy and program elements against applicable government-wide\n    guidance and recognized best practices,\n\xe2\x80\xa2   Interviewed program officials about the status of the telework program,\n\xe2\x80\xa2   Verified that the FDIC complied with the Office of Personnel Management (OPM) telework\n    reporting requirements,\n\xe2\x80\xa2   Performed analysis of telework participation information to identify trends and usage among\n    divisions and offices,\n\xe2\x80\xa2   Evaluated the efficiency of the FDIC\xe2\x80\x99s administration of the telework program, and\n\xe2\x80\xa2   Assessed the FDIC\xe2\x80\x99s guidance and efforts to ensure adequate security over information used\n    by employees when teleworking.\n\nWe also engaged the accounting firm of KPMG, LLP (KPMG) to assess the FDIC\xe2\x80\x99s guidance\nand efforts to ensure adequate security over information that is processed, stored, and transmitted\nwhile 
teleworking. KPMG\xe2\x80\x99s engagement primarily involved:\n\n\xe2\x80\xa2   Evaluating the FDIC\xe2\x80\x99s four methods of remote access,\n\xe2\x80\xa2   Interviewing program officials about the status of initiatives intended to automate encryption\n    of sensitive information stored on mobile computers and devices,\n\xe2\x80\xa2   Verifying that the time-out function for remote access methods functioned properly, and\n\xe2\x80\xa2   Assessing the FDIC\xe2\x80\x99s progress in logging data extractions and erasing them when no longer\n    needed.\n\nAppendix I describes in detail the objective, scope, and methodology of this evaluation.\n\n\nBACKGROUND\nThrough a number of legislative actions, Congress has indicated its desire that federal agencies:\ncreate telework programs that establish program leadership; think broadly in setting eligibility\nrequirements; allow employees, if eligible, 1 to participate in telework; and track and report\ntelework program results. The most significant congressional action related to telework was the\nOctober 2000 enactment of Section 359 of Public Law No.106-346, which mandates that each\nexecutive branch agency establish a policy under which eligible employees may participate in\ntelework to the maximum extent possible without diminishing employee performance. The\nlegislation also requires agencies to designate telework coordinators who are responsible for\noverseeing the implementation of telework programs and serving as points of contact.\n\nThe legislative framework also assigns responsibility for leading the government-wide telework\ninitiative to the OPM and the General Services Administration (GSA). 
Jointly, OPM and GSA\nmanage a federal Web site 2 for telework, which is designed to provide access for employees,\nmanagers, and telework coordinators to a range of information related to telework, including\n\n1\n  An eligible employee is any satisfactorily performing employee of the agency whose job may typically be\nperformed at least one day per week by teleworking.\n2\n  The joint Web site can be found at www.telework.gov.\n\n                                                        2\n\x0cannouncements, guides, laws, and available training. OPM has primarily provided expertise in\nhuman resources issues and, in that regard, published A Guide to Telework in the Federal\nGovernment, dated August 2006, to guide implementation of the program. OPM has also\ndetermined that telework is an essential element in continuity of operations and pandemic 3\npreparedness and incorporated Federal Emergency Management Agency (FEMA) guidance into\nits guide. GSA has generally addressed technical, equipment, and telework center issues and\nissued Federal Management Regulations (FMR) Bulletin 2007-B1 entitled, Information\nTechnology and Telecommunication Guidelines for Federal Telework and Other Alternative\nWorkplace Arrangement Programs, dated March 2007.\n\nWith regard to technical issues, the Office of Management and Budget (OMB) issued\nMemorandum M-06-16, dated June 23, 2006, to the heads of federal departments and agencies\nentitled, Protection of Sensitive Agency Information. OMB issued the memorandum in response\nto several data security breaches. The memorandum recommends that the departments and\nagencies implement a series of controls for safeguarding the remote access, transport, and\nstorage of sensitive information. 
Effective implementation of these controls becomes\nparticularly important to ensuring adequate information security as the Congress encourages\ngreater participation in telework programs.\n\nConsistent with its legislative mandate to track and report on the status of telework programs, the\nOPM requests telework data from all federal agencies by way of an Annual Telework Survey.\nJointly, OPM and GSA use the information to provide a yearly snapshot of the federal\ngovernment telework initiative that is published in an annual report to the Congress entitled, The\nStatus of Telework in the Federal Government (Annual Telework Status Report).\n\nIn its A Guide to Telework in the Federal Government, OPM defined telework as any\narrangement in which an employee regularly performs officially assigned duties at home or at\nanother work site geographically convenient to the residence of the employee. In 2005, OPM\nand GSA established a more restrictive definition of telework that defined qualifying frequencies\nof at least 3 days a week, 1-2 days a week, or at least once per month. Previously, even if an\nemployee teleworked less than once a month, the employee was included in the number of\nteleworkers reported to Congress. The 2005 Annual Telework Status Report indicated that\n1.3 million of the 1.8 million federal employees in 78 Federal agencies were eligible to telework.\nOf the 1.3 million eligible employees, 119,248 or 9.51 percent, employees actually teleworked.\n\nIn May 2001, the FDIC introduced a Telework Pilot Program to give employees greater\nwork/life flexibility while continuing to meet the Corporation\'s mission. 
In May 2003, the\nCorporation established a permanent program that allows for participation based on the specific\nnature and content of the work to be performed rather than on position, grade, or work schedule.\n\nFDIC Circular 2121.1, dated May 16, 2003, entitled, FDIC Telework Program, provides the\npolicy, program guidelines, general provisions, and responsibilities associated with the telework\nprogram. The FDIC\xe2\x80\x99s WorkLife Program Manager, who is part of the Division of\n\n\n3\n  Pandemic influenza is a global outbreak of disease that occurs when a new influenza virus appears or \xe2\x80\x9cemerges\xe2\x80\x9d in\nthe human population, causes serious illness, and spreads easily from person to person worldwide.\n\n                                                         3\n\x0cAdministration\xe2\x80\x99s (DOA) Human Resources Branch, is designated as the Telework Coordinator\nand is responsible for providing management advisory services related to the telework program.\n\n\nEVALUATION RESULTS\nThe FDIC has established a telework program that offers a means of supporting the\nCorporation\xe2\x80\x99s goal of enhanced employee flexibility and improved work/life balance, provided\nthat the efficiency of the FDIC and its mission are not adversely impacted. 
The FDIC\xe2\x80\x99s program\nis generally consistent with OPM\xe2\x80\x99s A Guide to Telework in the Federal Government as it relates\nto:\n\n\xe2\x80\xa2   Appointing a telework coordinator;\n\xe2\x80\xa2   Establishing telework policy, including determining eligibility, delineating responsibilities of\n    managers and employees, creating and managing signed telework agreements, documenting\n    denials, and applying uniform performance practices;\n\xe2\x80\xa2   Establishing policies on information systems and technology security;\n\xe2\x80\xa2   Establishing guidelines for equipment and support to be provided to teleworkers; and\n\xe2\x80\xa2   Providing, to a limited extent, telework training.\n\nFurther, in 2003, the FDIC established the Examiner\'s Option program wherein eligible\nexaminers are permitted to work out of their homes or at approved alternative work sites when\nnot working at an insured depository institution or at another required site. Under this program,\nthe FDIC provides the employee with a one-time maximum reimbursement of up to $500 for\ncosts associated with equipment not otherwise provided by the Corporation, and an annual\nreimbursement of up to $480 for costs associated with multiple telephone lines and/or high speed\ndata transmission access.\n\nIn the 2006 Federal Human Capital Survey, conducted by OPM, FDIC employees reported an\noverall satisfaction rate with the Corporation\xe2\x80\x99s telework program of 56.6 percent compared to\n21.8 percent government-wide.\n\nFinally, in 2006, the FDIC received an award from the Telework Exchange, a public-private\npartnership focused on eliminating telework gridlock, for the Corporation\xe2\x80\x99s innovative use of\ntechnology to support employees who teleworked. 
The award was based primarily on the fact\nthat the FDIC provides a variety of remote access services to support its telecommuting and\nmobile users and an access control method that enables virtually every eligible FDIC employee\nwith access to a computer to participate in the FDIC\xe2\x80\x99s telework program.\n\n\n\n\n                                                 4\n\x0cEMPLOYEE PARTICIPATION IN THE FDIC\xe2\x80\x99S TELEWORK PROGRAM\n\nIn 2004, the FDIC reported that 43.1 percent of its employees had teleworked. However, in\n2005, following the establishment of a more restrictive definition of telework, OPM calculated\nthe FDIC\xe2\x80\x99s participation at 4.56 percent in its Annual Telework Status Report. 4 For 2006, based\non the statistics submitted to the OPM, we calculated an increase in participation to 5.16 percent.\nAccording to OPM\xe2\x80\x99s 2007 Annual Telework Status Report, the FDIC\xe2\x80\x99s participation level ranks\nrelatively low among other federal agencies. Specifically, we compared the FDIC\xe2\x80\x99s standing\nwith 77 other federal agencies that reported telework participation to OPM in 2005. Our analysis\nshowed that the FDIC\xe2\x80\x99s participation level of 4.56 percent was among the bottom 25 percent of\nthose agencies.\n\nWe also analyzed the impact that the more restrictive definition had on other agencies. We\ndetermined that 46 of the 67 agencies that reported telework statistics in both 2004 and 2005 had\ndecreases in telework participation while the remaining 21 had increased participation. For\nagencies with employee populations under 20,000, the change in reported participation ranged\nfrom an increase of 3.42 percent at the Department of Housing and Urban Development to a\ndecrease of 54.4 percent at OPM.\n\nFDIC Employees Participating in Telework\n\nWe conducted analyses to gain additional insights into the extent of employee participation in the\nFDIC\xe2\x80\x99s telework program. 
For example, using the statistics that the FDIC provided to OPM, we\ndetermined that 47 percent of all FDIC employees participated in telework to some degree in\n2006 and that the extent of participation varied by grade-level categories. (See Table 1 on the\nnext page.)\n\n\n\n\n4\n  Recognizing the impact the new definition would have on the government\xe2\x80\x99s telework statistics, in its 2006 Report\nto the Congress, the OPM cautioned that comparison to past years\xe2\x80\x99 data is not meaningful. The new definitions have\nnarrowed the definition of \xe2\x80\x9cteleworker,\xe2\x80\x9d requiring a reasonable frequency of teleworking more in line with\nprogrammatic needs. The OPM further noted that the definition change contributed to the government-wide\ndecrease in the number of teleworkers reported from 140,694 in 2004 to 119,248 in 2005.\n\n                                                        5\n\x0cTable 1: 2006 Corporation-Wide Participation in the FDIC\xe2\x80\x99s Telework\nProgram by Grade\n\n  Employee Grade                     FDIC              Teleworkers Report                Percent of FDIC\n      Level                        Employees            in OPM Survey*                     Employees\n                                                                                          Participating\n 1 through 4                                     84                              3                    3.57%\n 5 through 12                                 2,158                          1,035                   47.96%\n 13 through 15                                1,745                            878                   50.32%\n CM-1 through 2                                 486                            206                   42.39%\n EM                                              93                             24                   25.81%\n Totals                                       4,566                          2,146                   
47.00%\nSource: OIG Analysis of the FDIC\xe2\x80\x99s Response to OPM\xe2\x80\x99s 2006 Annual Survey and DOA Demographics\nStatistics.\n*The accuracy of the time reported in the CHRIS T&A System assumes that those who teleworked accurately\ncoded their time as \xe2\x80\x9ctelework\xe2\x80\x9d during each pay period.\n\nWe also determined that, based on the source data provided to OPM, 440 of 1,747, or 25\npercent, of all eligible headquarters employees participated in the telework program in 2006.\nFigure 1 below provides a breakdown of the participation by headquarters activity.\n\nFigure 1: 2006 Headquarters Participation in the Telework Program\n\n\n    300\n\n\n    250\n\n\n    200\n\n\n    150\n\n\n    100\n                                              30%   40%               22%\n                                32% 25%                                     18%                49%\n      50\n                11%                                                                     46%\n                       100%                                9%                     33%                20%    10%\n       0\n                                     T\n\n\n\n\n                                                                                          IG\n                                                       R\n                            R\n\n\n\n\n                                                F\n\n\n\n\n                                                                            l\n                                                                  C\n                                          A\n\n\n\n\n                                                                          FO\n\n\n\n\n                                                                                                 O\n                  IA\n\n\n\n\n                                                                         EO\n           CU\n\n\n\n\n                                                             
                                          PA\n                                                                          ga\n                                  DI\n\n\n\n\n                                               DO\n\n\n                                                      DR\n                         DI\n\n\n\n\n                                         DO\n\n\n\n\n                                                               DS\n\n\n\n\n                                                                                                O\n                 O\n\n\n\n\n                                                                                         O\n                                                                       Le\n\n\n                                                                        C\n\n\n\n\n                                                                                                      O\n                                                                       D\n                                                                      O\n\n                                                                      O\n\n\n\n\n                                Headquarters Population          Total Number of Teleworkers\n\n\nSource: OIG Analysis of 2006 Telework Statistics provided by DOA. OERM participation was not\naddressed in the statistics.\n\n\n\n                                                           6\n\x0cDOA noted that beyond the OPM participation level criteria, DOA also has its own views about\nthe success of its telework program, such as employees being able to practice partial day\ntelework to attend medical appointments or other non-work events in order to achieve a better\nwork life balance. 
While such telework events may not meet the OPM criteria, DOA believes\nthey are important in gauging the success of the Corporation\'s telework program.\n\nReliability of the Telework Statistics\n\nSeveral issues bring into question the reliability of the telework statistics that were reported to\nOPM, and the FDIC\xe2\x80\x99s participation levels and ranking must be viewed in the context of these\nissues.\n\n\xe2\x80\xa2   When OPM redefined telework in 2005, OPM was not clear regarding what constituted a\n    \xe2\x80\x9cday\xe2\x80\x9d of teleworking. According to OPM, neither OPM nor anyone else has defined what\n    constitutes a \xe2\x80\x9cday\xe2\x80\x9d of telework and OPM has received questions on the definition from\n    various agency representatives. As a result, agency reporting of telework participation is\n    likely to be inconsistent.\n\n\xe2\x80\xa2   When the FDIC provided telework statistics to OPM in 2005 and 2006 regarding the number\n    of employees who teleworked on a regular, recurring basis, the Corporation only included\n    examiners who were participating in the previously discussed Examiner Option program as\n    teleworkers. The Corporation did so because it determined that these examiners best fit\n    OPM\xe2\x80\x99s new telework definition and because CHRIS T&A was not configured to capture the\n    type of telework data that OPM requires. DOA representatives stated that as a result, FDIC\n    under-represented telework participation levels to OPM.\n\n\xe2\x80\xa2   The FDIC relies on the CHRIS T&A system to determine telework participation. Employees\n    must select one of the 12 \xe2\x80\x9ctelework\xe2\x80\x9d transaction codes when coding their time and attendance\n    in order to be counted as teleworking. 
The FDIC lacks assurance that employees are coding\n    their time and attendance in such a manner; thus, the Corporation may be underreporting the\n    number of employees actually teleworking.\n\nConclusion\n\nAt first glance, the FDIC\xe2\x80\x99s reported levels of participation should be of concern to management\nas the Corporation should be following the lead of the Congress and Executive Branch in\npromoting and increasing telework in the federal government. Further, the FDIC may be missing\nopportunities to improve the quality of work life and morale of its employees. However, it is\nunclear whether the Corporation has sufficiently reliable data to draw valid conclusions\nregarding the extent to which employees are participating in its telework program. Statistics\nsubmitted are being included in a statutorily-required report to the Congress and do get attention\nfrom its members, other federal agencies, and the public.\n\n\n\n\n                                                  7\n\x0cRecommendation\n\nWe recommend that the Director, Division of Administration:\n\n    1. Take steps to improve the quality and reliability of data collected for the purposes of\n       determining the extent of telework participation by FDIC employees.\n\n\nEVALUATION OF THE TELEWORK PROGRAM\n\nThe FDIC could do more to evaluate the success and status of its telework program to ensure the\nprogram is meeting management\xe2\x80\x99s expectations. In this regard, neither the WorkLife Program\nManager nor any of the nine divisions and offices we included in our review has conducted an\nevaluation of the telework program. 5 Instead, the FDIC has principally relied on time charges in\nthe FDIC\xe2\x80\x99s time and attendance system as a gauge of the telework program\xe2\x80\x99s success. Prior to\nOPM\xe2\x80\x99s 2005 revised definition of telework, the FDIC\xe2\x80\x99s statistics showed the number of\nemployees teleworking was approaching 50 percent. 
This figure was based on any time charged as telework by an employee in the CHRIS T&A system, regardless of the number of hours worked. With such a high percentage of participation, management apparently determined there was not a need to perform a program evaluation.

Circular 2121.1, Section 10, Evaluation, states that to adequately assess the impact and success of the telework program, both employees and managers or supervisors are expected to participate in the evaluation. The evaluation may include the collection of both quantitative and qualitative data (including participation rates, office space needs, and other issues impacted by program use), requiring the completion of surveys or responses to interview questions. The Circular does not clearly address who should lead or conduct the evaluations or the required frequency.

DOA officials advised us that they were not aware of an overall evaluation of the program since it became permanent in 2003. Further, none of the nine divisions and offices we included in our review has conducted evaluations of their administration of the telework program. Division of Insurance and Research officials told us that, although they have not performed a formal evaluation, their senior management periodically discusses the division's stance on telework, how it is administered, and the fairness of its application. Division of Finance (DOF) management indicated they are working with representatives from DOA to gather statistics on DOF's participation in the telework program and to conduct a survey of their employees.

Finally, the FDIC has not established measurable telework program goals.
Such goals can be used in conducting program evaluations for telework in such areas as productivity, operating costs, employee morale, recruitment, and retention.

Without a comprehensive program evaluation and measurable goals, it is difficult to assess whether the Corporation's telework participation meets management's expectations and is reasonable considering the various factors that can impact the extent of telework at the FDIC. In conducting such an evaluation, the FDIC should address the following areas.

[5] The nine divisions and offices included the Office of Enterprise Risk Management (OERM), Corporate University (CU), Division of Insurance and Research (DIR), Division of Information Technology (DIT), DOA, Division of Finance (DOF), Division of Resolutions and Receiverships (DRR), Division of Supervision and Consumer Protection (DSC), and the Legal Division.

Leadership Attention

On June 12, 2007, the Government Accountability Office testified before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Committee on Homeland Security and Governmental Affairs, U.S. Senate (GAO-07-1002T), that the Telework Enhancement Act of 2007, S.1000, recognizes the importance of leadership in promoting an agency's telework program by requiring the appointment of a senior-level management official to perform several functions to promote and enhance telework opportunities. There is no consensus at this time regarding the specific duties of such an individual in relation to the duties of the agency officials currently designated as telework coordinators.

At the FDIC, oversight of the telework program has been made a part of the duties assigned to the WorkLife Program Manager.
The WorkLife Program Manager also has responsibility for providing management advisory services relating to alternative work schedules, leave, dependent care, employee assistance, and other programs. In addition, the WorkLife Program Manager could be assigned to assist in issues related to classification and compensation, staffing and placement, and human resources development. The FDIC's approach to leadership of the program, a mid-level manager devoted part-time, may fall short of what is being contemplated in the pending legislation discussed previously and may need to be revisited.

Publicity and Training

We met with the WorkLife Program Manager to gain an understanding of recent efforts to promote and provide training on the telework program. The following examples were provided:

•   DOA presented a program on telework in October 2006,
•   New employee and Corporate Employee Program orientations address telework,
•   Presentations are made at DSC regional conferences and other division conferences, and
•   Presentations at certain WorkLife Program seminars include telework information when appropriate.

OPM guidance, as well as telework literature and guidelines, states that informing employees and managers of the program and publicizing it are key telework practices for implementation of successful federal telework programs.
Training and information on the following aspects of telework may be beneficial to FDIC employees:

•   Types of assignments and circumstances that are suitable for teleworking,
•   Coding of time and attendance data,
•   The types of information that would be appropriate for teleworkers to be handling and how sensitive information should be protected when teleworking,
•   Home safety and technology considerations, and
•   The role that telework plays in continuity of operations (as discussed later in this report).

Conclusion

There is continuing Congressional interest to expand teleworking in the federal government, and the FDIC's policy encourages use of the telework program for those projects/duties that are well-suited for completion at an alternative work site. Therefore, the FDIC should assess whether its program and participation level meet corporate expectations and are reasonable considering the various factors that can impact the extent of telework at the FDIC.

Recommendation

We recommend that the Director, Division of Administration:

   2. Conduct an evaluation consistent with Circular 2121.1 to determine whether the FDIC's telework program is meeting management's expectations and desired outcomes.
      The evaluation could address, among other things:

       •   Whether goals and objectives exist against which the success and impact of the program can be measured,
       •   Fairness and consistency across the Corporation in how managers are administering the program,
       •   Sufficiency of leadership and management attention, and
       •   Extent of promotion, publicity, and training.

INCORPORATING TELEWORK INTO BUSINESS CONTINUITY AND PANDEMIC PREPAREDNESS

Telework is a key component of being prepared for and continuing operations during emergency situations. The FDIC could more fully and expressly incorporate telework into its business continuity planning and pandemic preparedness efforts. Doing so would provide the FDIC with greater assurance that its employees and infrastructure can maintain uninterrupted operations or be fully functional within the time frames prescribed by FEMA in the event of an emergency or pandemic event.

Emergency Preparedness Guidance

FEMA's Federal Preparedness Circular (FPC) 65, Section 9, Planning Requirements for Viable COOP Capability, revised as of June 15, 2004, is applicable to all Federal Executive Branch departments, agencies, and independent organizations. FPC 65 defines Continuity of Operations (COOP) planning as an effort to ensure that the capability exists to continue essential agency functions across a wide range of hazard emergencies. COOP capability is intended to be short-term; it must be functional within 12 hours and may last up to 30 days.

Section 9 further states that the COOP must include regularly scheduled testing, training, and exercising of agency personnel, equipment, systems, processes, and procedures used to support the agency during a COOP event.
Section 10, Elements of a Viable COOP Plan, states that tests and exercises serve to assess, validate, or identify for a subsequent corrective action program, specific aspects of COOP plans, policies, procedures, systems, and facilities used in response to an emergency situation. Training familiarizes COOP personnel with the procedures and tasks they must perform in executing COOP plans.

OPM incorporates portions of FPC 65 guidance into its A Guide to Telework in the Federal Government, which states that telework should be part of all agency emergency planning and that management must be committed to implementing remote work arrangements as broadly as possible to take full advantage of the potential of telework to ensure that:

       •  Equipment, technology, and technical support have been tested.
       •  Employees are comfortable with technology and communications methods.
       •  Managers are comfortable managing a distributed workgroup.
       •  Expectations are communicated both to the Emergency Response Team (ERT) and non-ERT employees regarding what steps they need to take in case of an emergency.
       •  Business Continuity Plan (BCP) expectations are integrated into telework agreements as appropriate.
       •  Essential personnel who might telework in case of an emergency are allowed to telework regularly to ensure functionality.

The section of the OPM Guide entitled Practice, Practice, Practice states that the success of an organization's telework program depends on regular, routine use. Experience is the only way to enable managers, employees, IT support, and other stakeholders to work through any technology, equipment, communications, workflow, and associated issues that may inhibit the transparency of remote work.
The OPM Guide concludes that individuals expected to telework in an emergency situation should, with some frequency, telework under non-emergency circumstances.

Business Continuity Plans, Pandemic Influenza Preparedness Plan, and Telework Agreements

The FDIC stated in its report to OPM in the 2006 Call for Telework Data that telework has been fully integrated into its emergency preparedness/COOP plans. However, neither the Washington, D.C., area's 2006 BCP, dated January 2007, nor the divisional BCPs contain references to telework, although some divisions require their staff to remain at home during emergency situations. We discussed the need to incorporate telework in the BCPs with the FDIC's Assistant Director, Security Management Section. The Assistant Director agreed that telework is not specifically mentioned in the BCPs but stated that Corporation employees understand that telework will be the means they use to continue or resume operations.

With regard to pandemic preparedness, the Assistant Director confirmed that telework is the cornerstone of the FDIC's pandemic plan but added that there are many telework-related issues that must be addressed before the Pandemic Influenza Preparedness Plan (PIPP) is completed and implemented.
We discuss the FDIC's progress in completing a pandemic preparedness plan later in this report under the section entitled "Other Matters."

Finally, we noted that Form 2121/05, Employee/Supervisor Telework Agreement, does not specifically address the Corporation's expectation that telework will be a key component of employees continuing or resuming operations.

Training

As discussed earlier in our report, the FDIC's telework training has concentrated on the benefits derived from teleworking and has not addressed telework in the context of continuity of business operations. None of the training provides hands-on experience that ensures an employee is capable of teleworking from a remote site. Further, the FDIC's Corporate University (CU) does not offer technical telework training specifically designed for FDIC employees. DOA should coordinate with CU to ensure that telework training addresses the role that telework plays in maintaining continuity of operations, as discussed in recommendation 2.

FDIC Employees Equipped to Telework

In 2005, the FDIC reported to OPM that 3,784 of its 4,515 employees that were eligible to telework were equipped, trained, and ready to telework in the case of a long-term crisis.[6] In 2006, the FDIC reported that 4,570 employees were eligible and 4,435 were prepared to telework. These statistics represented all employees that had received a SafeWord® authenticator token.
While the number of tokens issued was a valid indicator of the FDIC's progress toward preparing its employees to telework, it was not necessarily representative of the actual number of employees who successfully participated in the telework program.

On our behalf, DOA researched this issue and found that from July 1 through August 31, 2007, 3,414 unique user accounts, or 77 percent of all user accounts, were used to access the FDIC network through one or more of the remote access systems. By refining the list, the Division of Information Technology (DIT) determined that there were 822 headquarters accounts and 2,592 regional/field office accounts on the list of remote access users for this period. The high number of field accounts (86 percent of all field accounts) was expected because examiners generally use remote access methods to obtain access to the FDIC's network. With regard to the headquarters accounts, 822 accounts represent 53 percent of headquarters accounts.

Telework Tests

The FDIC's employees have not been required to practice telework under simulated emergency conditions. The Assistant Director, Security Management Section, confirmed that the FDIC has not conducted practice tests of the emergency operations. In October 2006, the FDIC sponsored a Corporate Telework Week. Employees were encouraged to telework, at a minimum, one day during that week. The number of teleworkers was measured through the FDIC Time and Attendance system. During this event, 870 FDIC employees teleworked, making this period of participation the highest for all of 2006.

[6] In a subsequent section of this report, we discuss concerns with the training and readiness of employees for teleworking in a crisis.

According to KPMG, DIT has asserted that the FDIC has a fully redundant remote access solution that is able to support all FDIC employees.
Specifically, DIT has deployed a Remote Computing Network (RCN) solution for its primary back-up site, the Richmond Data Center, with a software configuration that is nearly identical to the one used on a regular basis at Virginia Square. DIT also asserted that the Richmond Data Center RCN solution is capable of supporting 5,000 users. However, this assertion is based upon the technical designs of the RCN solution created during the 2003 or 2004 time frame. KPMG indicated that actual testing of 5,000 concurrent sessions should be conducted to ensure that the original RCN architecture remains capable of supporting such a large number of concurrent users with the addition of new applications and newer versions of Microsoft Office.

DIT acknowledged that the capacity of its remote access network had not been stress tested with remote workers but stated that in the event of a major business interruption that impacted multiple federal agencies, the true "Achilles heel" of agency business continuity planning would be the ability of the local telecommunications infrastructure to handle increased activity from thousands of remote workers. While this may be true, we believe there is merit in stress testing the FDIC's remote access network and verifying FDIC employees' technical ability to connect to the FDIC network remotely. Such a test could be as simple as requiring all, or a large number of, FDIC headquarters employees to work from home on a particular day and attempt to remotely log on to the FDIC's network at a particular time.

Conclusion

The FDIC recognizes that telework is a key component to resuming or continuing operations in the event of an emergency or pandemic event and has taken some steps to ensure that its employees are sufficiently prepared and its technology solution is adequately designed to that end.
However, consistent with OPM and FEMA guidance, the Corporation would benefit from taking further action to communicate and integrate telework into its business continuity and pandemic preparedness planning, ensure managers and employees are comfortable with telework arrangements, and validate that its technology solution works under simulated emergency circumstances.

Recommendations

We recommend the Director, Division of Administration:

   3. Revise the FDIC BCPs and pandemic preparedness plans to more specifically describe the role telework plays in those plans.

   4. Identify personnel who would be expected to telework during an emergency and incorporate corporate expectations into their telework agreements.

   5. Implement periodic testing of equipment, technology, and technical support associated with large numbers of employees concurrently teleworking in an emergency situation, and require individuals expected to telework in an emergency situation to periodically telework under non-emergency circumstances.

SECURITY CONTROL REQUIREMENTS FOR TELEWORK

KPMG evaluated the security controls for telework and found that the FDIC has implemented a number of controls and has an on-going effort to fully address all of the security requirements of OMB Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006 (M-06-16). The FDIC has met the two-factor authentication requirement for user identification, and remote network sessions are encrypted. Also, the FDIC specifically addresses the telework program and provides guidance on protecting sensitive information when teleworking in its Annual Security Awareness Training, which is required for all employees and contractors, and has issued extensive guidance related to information security.
However, work remains for the FDIC to complete its planned deployment of an enterprise-wide automated encryption solution for laptops, removable Universal Serial Bus (USB) devices, and Personal Digital Assistants (PDA) to provide increased assurance that sensitive data stored on such equipment and devices will be appropriately protected. Further, the FDIC could take additional steps to protect data from unauthorized access during telework sessions on non-FDIC computers.

Methods for Teleworking

The FDIC provides four methods for remote users (e.g., teleworkers) to access the FDIC network. These services include Ascend Dial-In, RCN, FastAccess, and WebVPN.

       Ascend Dial-In is available for use with FDIC laptops. The service provides dial-in access to the FDIC network using standard analog telephone lines to connect via a local access or national 800 number.

       RCN is a secure, Web-based remote access system available for use with home computers or FDIC laptops. Remote users access an FDIC secure gateway over the Internet, log in, and establish a remote session with an RCN server running a limited set of office applications.

       FastAccess is a Web-based remote access service intended to provide mobile users basic access to FDIC computing resources without having to install certificates or specialized software.

       WebVPN is a secure remote access system intended to provide full network access to employees using FDIC laptops.
       A VPN is a network that can provide remote offices or individual users with secure access to an organization's network via the Internet.

Key Security Controls Associated with Teleworking

OMB Memorandum M-06-16 recommends the following security controls for safeguarding information removed from, or accessed from outside of, agency locations: (1) encrypt all sensitive data on mobile computers and devices; (2) allow remote access only with two-factor authentication; (3) use a "time-out" function requiring user re-authentication after 30 minutes of inactivity for remote access and mobile devices; and (4) log all computer-readable data extracts from databases holding sensitive information and verify that each such extract has been erased within 90 days or that its use is still required.

Data Encryption

OMB M-06-16 recommends encryption of all data on mobile computers and devices that carry sensitive agency data. FDIC Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007, requires that sensitive information stored on end-user IT equipment (e.g., laptop and desktop computers), as well as on removable media (e.g., diskettes, CD/DVD, USB flash drives, external removable hard drives), be encrypted. In addition, sensitive information should only be stored on corporate IT equipment. The current data encryption methods (Entrust, PKZIP, and Microsoft EFS[7]) are manual.

When employees telework and perform tasks using applications and data on the FDIC's laptops and network, the information is adequately protected regardless of which of the four available access methods they use, as long as the information remains within the network and is not downloaded to a home computer or storage device.
In addition, the FDIC is working on an automated solution to ensure that sensitive information stored on mobile computers and devices is encrypted. In that regard, DIT initiated the Enterprise Encryption Project (EEP) in August 2006 with separate phases for encryption of laptops, removable media, and PDA devices. In our October 11, 2007 draft report, we reported that:

•   The FDIC had selected Pointsec as the tool to encrypt data on laptops and, as of September 20, 2007, DIT had installed encryption software on 2,500 of the approximately 3,800 agency laptops as part of Phase I of the EEP. The remaining laptops were scheduled to be encrypted as part of the Corporate Laptop Replacement Project by October 19, 2007.

•   The FDIC was in the inception stage of Phase II of the EEP, the objective of which was to identify a software tool to encrypt removable storage devices that connect to a computer (such as USB drives). Phase II was scheduled to be implemented on January 25, 2008.

•   Phase III of the EEP was scheduled to begin in January 2008 and entailed identifying an encryption solution for PDA devices. At the time of our draft report issuance, the completion date for Phase III had not been determined.

We concluded that manual data encryption methods could not ensure that all sensitive data stored on FDIC-provided mobile computers, storage devices, and PDAs was encrypted because these methods are prone to human errors and omissions. We reported that until the EEP is completed, sensitive data stored on FDIC IT equipment would be more vulnerable to unauthorized access if the media was lost or stolen.

DIT provided updated milestone information for the EEP project in November 2007. The FDIC completed Phase I encryption of all corporate laptops in November 2007.
Regarding Phase II, encryption of removable media, DIT provided a project plan with detailed milestones which estimated completion of the encryption for USB drives in January 2008 and CDs by March 2008. Regarding Phase III, encryption of PDA devices, DIT implemented a pilot in late November and anticipated full implementation of PDA encryption by the end of December 2007.

[7] EFS only encrypts files stored on internal hard drives and cannot encrypt files stored on CD/DVD or USB storage devices. Users can encrypt files on DVDs and CDs using Entrust or PKZip.

Two-Factor Authentication for Remote Access

OMB M-06-16 recommends that agencies allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access.

KPMG tested all four of the FDIC's remote access methods, Ascend Dial-In, RCN, FastAccess®, and WebVPN, and found that the four access methods meet the two-factor authentication requirement set forth in M-06-16. Remote access users are required to enter their network user identification and accompany it with their network password, a one-time key generated by a SafeWord® authenticator token, and a 4-digit user-selected PIN before being granted access to the FDIC network.

Time-Out Function Requiring User Re-authentication After 30 Minutes of Inactivity

NIST Special Publication 800-53, Rev. 1, Recommended Security Controls for Federal Information Systems (NIST 800-53), requires that the information system automatically terminate a remote session after a maximum of 30 minutes of inactivity for remote access and portable solutions.

KPMG tested the time-out function for all four of the FDIC's remote access methods.
The testing showed that the FDIC has instituted several functional time-out configurations for its four remote access methods that will automatically time out or disconnect the user after 30 minutes of inactivity. However, as shown in Table 2, several situations exist where remote connections are not successfully timed out after 30 minutes of inactivity as required by M-06-16.

Table 2: Time-out Function Test Results

Remote Access    Remote Access Methods             Inactivity Time-Out (30 Minutes) Test   Max Session Time-Out (180 Minutes) Test
Solution                                           Outlook Closed    Outlook Open          Outlook Closed    Outlook Open
---------------  --------------------------------  ----------------  --------------------  ----------------  ---------------------
Ascend Dial-In   Available for use on FDIC         Failed            Failed                Passed            Passed
                 laptops only.
RCN              Intended for use with home        Passed(a)         Passed(a)             Passed(a)         Passed(a)
                 computers or FDIC laptops.
FastAccess®      Intended for use with home        Passed(a)         Failed(a)             Passed(a)         Passed(a)
                 computers or FDIC laptops.
WebVPN           Available for use on FDIC         Failed            Failed                Passed            Passed
                 laptops only.

Source: KPMG Evaluation Results. Test conducted from July 18 through 25, 2007.
Note: Access to the network through all remote access solutions is facilitated by the use of a SafeWord® authenticator token (two-factor authentication). All four remote access solutions are configured to time out after 30 minutes of user inactivity or after 180 minutes regardless of activity.
(a) Same result when tested on a personally-owned PC.

The FDIC is experiencing technical difficulties in implementing the 30-minute time-out configurations for Ascend Dial-In, FastAccess®, and WebVPN. Specifically, the network is not able to discern between actual user activity and background software services running on the computer, such as antivirus and personal firewall processes.

Abandoned remote access connection sessions that do not properly time out after a period of user inactivity may be accessed by unauthorized users to gain access to sensitive agency data. As a compensating control, DIT has implemented a 15-minute password-protected screensaver on all FDIC computers. Testing revealed that FastAccess® failed to time out after 30 minutes of inactivity on a non-FDIC computer with an open session of Microsoft Outlook for e-mail service.

Logging Data Extracts and Erasing Extracts After 90 Days

OMB Memorandum M-06-16 recommends that agencies "log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required." In addition, NIST 800-53 requires that organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations [or] organizational assets.
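The time-out failures in Table 2 come from a gateway that resets its inactivity timer on any traffic, so Outlook polling, antivirus updates and firewall checks keep an abandoned session alive. The following Python example is added here to illustrate that distinction; it is not code from the KPMG test or from any FDIC remote access product. It models a gateway that measures inactivity from the last keyboard or mouse event only, places it beside the failing "any traffic counts" policy, and applies the 180-minute absolute limit to both. The event types, timestamps and the sample session are constructed for illustration.

```python
"""Idle time-out logic for a remote access gateway (added example).

The failing configurations on the page reset the inactivity timer on any
traffic, so background services (Outlook polling, antivirus, personal
firewall) keep an abandoned session alive.  A hardened gateway measures
inactivity from the last interactive input only, and enforces the absolute
180-minute limit regardless of activity.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

IDLE_LIMIT = timedelta(minutes=30)    # inactivity limit cited from M-06-16 / NIST 800-53
MAX_SESSION = timedelta(minutes=180)  # absolute session limit from Table 2

INTERACTIVE = {"keyboard", "mouse"}                                  # user is present
BACKGROUND = {"outlook_sync", "antivirus_update", "firewall_poll"}   # needs no user


@dataclass(frozen=True)
class SessionEvent:
    at: datetime
    kind: str


def last_activity(login: datetime, events: List[SessionEvent], now: datetime,
                  count_background: bool) -> datetime:
    """Timestamp the idle timer is measured from, considering events up to `now`."""
    latest = login
    for ev in events:
        if ev.at > now:
            continue
        if ev.kind in INTERACTIVE or (count_background and ev.kind in BACKGROUND):
            latest = max(latest, ev.at)
    return latest


def timeout_decision(login: datetime, events: List[SessionEvent], now: datetime,
                     count_background: bool) -> str:
    """Return 'max_session', 'idle', or 'active' for the session state at `now`."""
    if now - login >= MAX_SESSION:
        return "max_session"          # 180-minute limit applies regardless of activity
    if now - last_activity(login, events, now, count_background) >= IDLE_LIMIT:
        return "idle"                 # 30 minutes with no qualifying activity
    return "active"


# Constructed sample session (hypothetical timestamps, not from the KPMG test):
# the user types during the first 10 minutes, then walks away while Outlook
# keeps syncing every 5 minutes and antivirus checks for updates at minute 30.
LOGIN = datetime(2007, 7, 18, 9, 0)
SAMPLE_EVENTS = (
    [SessionEvent(LOGIN + timedelta(minutes=m), "keyboard") for m in (1, 4, 10)]
    + [SessionEvent(LOGIN + timedelta(minutes=m), "outlook_sync") for m in range(15, 180, 5)]
    + [SessionEvent(LOGIN + timedelta(minutes=30), "antivirus_update")]
)


def naive_gateway(minutes_after_login: int) -> str:
    """Gateway that counts any traffic as activity (the failing configuration)."""
    now = LOGIN + timedelta(minutes=minutes_after_login)
    return timeout_decision(LOGIN, SAMPLE_EVENTS, now, count_background=True)


def hardened_gateway(minutes_after_login: int) -> str:
    """Gateway that counts only keyboard and mouse input as activity."""
    now = LOGIN + timedelta(minutes=minutes_after_login)
    return timeout_decision(LOGIN, SAMPLE_EVENTS, now, count_background=False)


if __name__ == "__main__":
    for minutes in (20, 45, 120, 180):
        print(f"{minutes:>3} min  naive={naive_gateway(minutes):<12} "
              f"hardened={hardened_gateway(minutes)}")
```

At minute 45 the naive gateway still reports the session as active because Outlook synced at minute 45, while the hardened gateway reports it idle because the last keystroke was at minute 10; at minute 180 both terminate on the absolute limit. In a real gateway the interactive signal would come from the client agent or from the presence of a password-protected screensaver, which is the compensating control the page describes.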
Organizations are to employ automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.

The FDIC has not implemented a solution to automatically log all computer-readable data extracts from databases holding sensitive information and confirm their subsequent deletion within 90 days for data that is no longer needed. The FDIC is currently researching potential software solutions that will satisfy this M-06-16 requirement. Although DIT has initiated an effort to identify a data extract logging software solution that meets the technical and functional requirements for logging sensitive data extracts, DIT indicated that the commercial software market has not developed a suitable product to meet the FDIC's needs. DIT also indicated that this requirement is proving to be a challenge for most federal agencies.

With respect to extraction of sensitive data, if such activity is not logged and monitored, and its deletion is not confirmed 90 days after extraction, the extracted sensitive data could be vulnerable to unauthorized electronic copying and sending by individuals with malicious intent. In addition, RCN and FastAccess® could allow users to store sensitive information unencrypted on home computers that are vulnerable to unauthorized access.

Through discussions and limited testing, KPMG determined that, as a compensating control, the FDIC's Enterprise Information Management (EIM) group is restricting the ability to copy production data to non-production environments by implementing a set of procedures for data requests.
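The M-06-16 extract rule quoted above is largely bookkeeping: record every extract, and at 90 days confirm that it has been erased or that its use is still required. The following Python example, added here and not code from the FDIC, DIT or EIM, implements that register and its 90-day review; it also reports extracts that were erased only after the window lapsed. The user names, database names and dates in the sample entries are constructed for illustration.

```python
"""Register of computer-readable extracts from sensitive databases (added example).

Implements the bookkeeping rule the page quotes from M-06-16: log every
extract, and verify that within 90 days each one has either been erased or
recorded as still required.  It also flags extracts that were erased, but
only after the 90-day window had lapsed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

RETENTION = timedelta(days=90)  # verification window from M-06-16


@dataclass
class Extract:
    extract_id: str
    user: str
    source_db: str
    extracted_on: date
    last_justified_on: date                # extraction date, or last "still required" review
    erased_on: Optional[date] = None
    justifications: List[Tuple[date, str]] = field(default_factory=list)


class ExtractRegister:
    def __init__(self) -> None:
        self._extracts: Dict[str, Extract] = {}

    def log_extract(self, extract_id: str, user: str, source_db: str, extracted_on: date) -> None:
        if extract_id in self._extracts:
            raise ValueError(f"duplicate extract id {extract_id}")
        self._extracts[extract_id] = Extract(extract_id, user, source_db, extracted_on, extracted_on)

    def confirm_erased(self, extract_id: str, erased_on: date) -> None:
        self._extracts[extract_id].erased_on = erased_on

    def confirm_still_required(self, extract_id: str, on: date, reason: str) -> None:
        ex = self._extracts[extract_id]
        if ex.erased_on is not None:
            raise ValueError(f"{extract_id} was already erased; nothing to renew")
        ex.last_justified_on = on          # restarts the 90-day window
        ex.justifications.append((on, reason))

    def overdue(self, as_of: date) -> List[str]:
        """Live extracts whose 90-day window lapsed with neither erasure nor renewal."""
        return sorted(ex.extract_id for ex in self._extracts.values()
                      if ex.erased_on is None and as_of - ex.last_justified_on > RETENTION)

    def late_erasures(self) -> List[str]:
        """Extracts erased only after the window had already lapsed."""
        return sorted(ex.extract_id for ex in self._extracts.values()
                      if ex.erased_on is not None
                      and ex.erased_on - ex.last_justified_on > RETENTION)


def build_sample_register() -> ExtractRegister:
    """Constructed entries with hypothetical user and database names (not FDIC data)."""
    reg = ExtractRegister()
    reg.log_extract("X-001", "analyst1", "institution_db", date(2007, 7, 1))
    reg.log_extract("X-002", "analyst2", "claims_db", date(2007, 7, 15))
    reg.log_extract("X-003", "analyst3", "institution_db", date(2007, 8, 20))
    reg.log_extract("X-004", "analyst1", "claims_db", date(2007, 6, 1))
    reg.confirm_erased("X-002", date(2007, 9, 1))                       # erased on day 48
    reg.confirm_still_required("X-003", date(2007, 11, 1), "quarterly analysis ongoing")
    reg.confirm_erased("X-004", date(2007, 10, 1))                      # erased on day 122
    return reg


def review_sample(as_of_iso: str) -> Dict[str, List[str]]:
    """Run the 90-day review over the sample register as of an ISO date."""
    reg = build_sample_register()
    as_of = date.fromisoformat(as_of_iso)
    return {"overdue": reg.overdue(as_of), "late_erasures": reg.late_erasures()}


if __name__ == "__main__":
    print(review_sample("2007-11-15"))  # {'overdue': ['X-001'], 'late_erasures': ['X-004']}
```

Reviewed as of November 15, 2007, X-001 is overdue (137 days with no erasure or renewal), X-003 is fine because it was renewed on November 1, and X-004 is reported as a late erasure. The register only knows what is reported to it, which is why the page treats automated extract logging, rather than self-reporting, as the missing piece.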
EIM has also published policy limiting access to production data for testing, quality control, and deployment preparation purposes to 45 days, at which point access to the data is automatically removed.

Identifying Sensitive Information to be Used When Teleworking

In addition to KPMG's work on IT security, we determined that divisions and offices had not developed specific guidance identifying sensitive information related to their respective activities and operations that may not be appropriate for telework. Instead, the divisions and offices were relying on corporate-wide information security guidance. To better ensure that sensitive information is properly safeguarded when employees are teleworking, requests to telework should identify the data that will be used and its source, and that information should be considered in making decisions to approve or disapprove requests.

The FDIC has issued extensive guidance related to information security, for example:

    •   FDIC Circular 1300.4 – Acceptable Use Policy for Information Technology Resources
    •   FDIC Circular 1310.3 – Technology Security Risk Management Program
    •   FDIC Circular 1310.5 – Encryption and Digital Signature for Electronic Mail
    •   FDIC Circular 1360.1 – Automated Information Systems (AIS) Security Policy
    •   FDIC Circular 1360.9 – Protecting Sensitive Information

FDIC Form 2121/05, Employee/Supervisor Telework Program Agreement, states that applicable policies and directives related to equipment and information security, such as those mentioned above, apply to the telework program. Further, Form 2121/05 cautions that employees may be held responsible for security breaches or equipment damage due to negligence. Circular 2121.5, FDIC Telework Program, Section 7,
Paragraph d., states that employees must comply with all\nsecurity and record keeping measures outlined in established policies and directives. Further, the\nCircular states that all FDIC records and data shall be protected against unauthorized disclosure,\naccess, mutilation, obliteration, and destruction.\n\nWe contacted representatives of nine divisions and offices to determine if any had issued\nsupplemental guidance specifically identifying data that should not be removed from the FDIC\nand used during telework sessions. Representatives of the five divisions and offices that\nresponded indicated that they had not issued such guidance and were relying on existing\ncorporate-wide guidance related to data security or encryption.\n\nWhile DSC had not issued specific guidance related to data used during telework sessions, we\nnoted that DSC had issued a memorandum dated August 15, 2006, entitled, Safeguarding\nExamination Information (Transmittal No. 2006-025), which states that examination information\nis broadly defined as all documentation involved in a bank examination. It includes the Report\nof Examination, examination work papers, and bank information received during the\nexamination process. Attachment A of the memorandum states that the protection of\nexamination information will require technical, physical, and administrative safeguards. The\nattachment states, for example, that all examination information stored on laptops, retained on\nCDs, DVDs, flash drives, or any other storage media shall be encrypted. Finally, the attachment\nstates that staff on travel status or telework status must ensure confidential information is secure\nwhen unattended.\n\nWe also noted that DRR had issued guidance entitled, DRR\xe2\x80\x99s Guidelines for Protecting Sensitive\nData, to help its employees and contractors better understand how to protect sensitive\ninformation. 
The guidelines describe: the types of data which, when combined, can be deemed sensitive; responsibilities and methods for protecting sensitive information; and DRR systems that contain sensitive information.

Conclusion

The security goal of all federal agencies is to minimize the chance that unauthorized access to their network will occur. The FDIC continues to make progress in complying with OMB M-06-16 by identifying and resolving security weaknesses related to telework and remote access. Some risks remain associated with providing employees remote access to the FDIC’s network and information systems. We are mindful in making recommendations as the FDIC faces similar challenges securing its information systems as do other agencies and must strike a balance between business needs, risk, and cost.

Recommendations

We recommend the Director, Division of Information Technology:

   6. Pursue improvements in security controls associated with telework, when deemed cost effective, in the following areas:

        • Continuing to work toward an enterprise-wide automated encryption solution for data stored on laptops, removable USB devices, and Personal Digital Assistants.

        • Working to resolve technical issues that prevent FastAccess® with an open Outlook session from timing out after 30 minutes of inactivity, in order to be consistent with the user re-authentication requirement of OMB Memorandum 06-16.

        • Restricting user capability to extract and store sensitive data on non-FDIC computers while using RCN or FastAccess®.

We recommend the Director, Division of Administration:

   7. 
Modify FDIC Form 2121/05, Employee/Supervisor Telework Program Agreement, for regular or recurring telework situations to include identifying any sensitive data that may be used during telework and its source, in order to assist management in making the decision to approve or disapprove a telework request.


OTHER MATTERS

INFLUENZA PANDEMIC PREPAREDNESS PLANNING

The Corporation’s task force formed in February 2006 to develop the PIPP has neither completed the plan that will provide guidance for handling a pandemic event nor set a target date for its completion.

To address the pandemic issue, the FDIC created a task force led by the Assistant Director, Facilities Operations Section. The task force is assigned to address the challenges of pandemic influenza and to develop a PIPP that specifically includes preventive hygiene; social distancing or telework; and limiting movement in accordance with OPM’s A Guide to Telework in the Federal Government. The PIPP is to be incorporated as an addendum to the FDIC Emergency Preparedness Plan.

According to task force members, the task force has:

        • Drafted a “Decision Point” memorandum to the Human Resources Committee that the Assistant Director, Facilities Operations Section, expects to finalize by the end of September or early October;
        • Conducted demonstrations of the Department of Treasury Web-based Pandemic Flu awareness-level training;
        • Held discussions regarding a draft Pandemic Flu Plan;
        • Participated in the Financial and Banking Information Infrastructure Committee’s (FBIIC) pandemic flu table-top exercise. 
[8]

[8] The FBIIC and the Financial Services Sector Coordinating Council were responsible for conducting a pandemic flu exercise for the financial services sector in the United States from September 24 through October 12, 2007.

The Assistant Director confirmed that telework is the cornerstone of the FDIC’s pandemic plan; however, he added that there are many telework-related issues that must be addressed before the PIPP is completed and implemented. For example, task force members are conducting discussions with FDIC management and union representatives to:

       • Clarify Information Technology (IT) limitations and constraints, which include determining whether all employees can successfully activate their Safeword® authenticator tokens,
       • Establish laptops in reserve for teleworkers,
       • Ensure the FDIC population is telework-ready, and
       • Determine how employees will be paid in a pandemic scenario.

While some progress has been made in developing the PIPP, additional management attention to the project may be beneficial in expediting its completion. Completing the PIPP and training FDIC managers and employees on its implementation will provide greater assurance that the FDIC can remain fully functional during a pandemic event.

Recommendation

We recommend the Director, Division of Administration:

   8. Establish milestones for completing the FDIC’s Pandemic Influenza Preparedness Plan and its incorporation, as an addendum, into the FDIC Emergency Preparedness Program.


SUBMISSION OF TELEWORK AGREEMENTS AND HOME SAFETY SELF-CERTIFICATIONS

The FDIC may be able to more efficiently administer the telework program. 
Specifically, the Corporation should pursue having employees participating in the FDIC telework program submit their Employee/Supervisor Telework Agreement (FDIC 2121/05) and their Home Safety Self-Certification (FDIC 2121/04) forms for approval and filing in an electronic format rather than in hard copy as currently required.

The FDIC has incorporated guidance from A Guide to Telework in the Federal Government regarding telework agreements and home safety self-certification into its Circular 2121.1, FDIC Telework Program. Section 5, Program Guidelines, of Circular 2121.1 states that supervisors must maintain a current form FDIC 2121/05 and form FDIC 2121/04. The supervisor is required to review these forms and keep a copy of each for their records. The Employee/Supervisor Telework Program Agreement provides needed contact information and outlines rights, responsibilities, and general program provisions. Section 8, Responsibilities, states that employees must update these documents annually or as otherwise required. Both forms are currently available electronically on the FDIC Intranet.

At our request, the FDIC’s Legal Division reviewed the requirement for employees to submit FDIC 2121/05 and FDIC 2121/04. The Legal Division concluded that the requirement stems from negotiated provisions in the national Collective Bargaining Agreement (CBA) between the FDIC and the National Treasury Employees Union (NTEU), which states that both forms must be current and updated by January 31 of every calendar year.

Further, the FDIC’s Legal Division stated that both the negotiated national CBA between the NTEU and the FDIC (at section 4E) and Circular 2121.1 (at section 8b), which was also negotiated with NTEU, require that employees participating in the FDIC telework program submit form 2121/04. 
This form is required to ensure that an employee’s alternative work site complies with general safety standards and because an employee will be compensated under the Federal Employees’ Compensation Act if injured while actually performing official duties at the alternate work site.

As a result of its review, the Legal Division concluded that new requirements for electronic submission of forms 2121/05 and 2121/04 would be subject to negotiations with NTEU.

Recommendation

We recommend the Director, Division of Administration:

   9. Evaluate the cost/benefit of employees electronically submitting forms 2121/05 and 2121/04, and if deemed cost-beneficial, negotiate with the NTEU to institute electronic submission and approval of the forms.


CORPORATION COMMENTS AND OIG EVALUATION

The DOA and DIT Directors provided a written response, dated November 29, 2007, to a draft of this report. The response is presented in its entirety in Appendix II. Management concurred with recommendations 1, 2, 3, 7, and 8; concurred with the intent of recommendation 4; and partially agreed with recommendations 5 and 6. Management did not agree with recommendation 9, but offered a reasonable explanation for not taking action on the recommendation at this time. A discussion of management’s response to recommendations 5, 6, and 9 follows:

Recommendation 5: Implement periodic testing of equipment, technology, and technical support associated with large numbers of employees concurrently teleworking in an emergency situation and require individuals expected to telework in an emergency situation to periodically telework under non-emergency circumstances.

DOA deferred to DIT on this recommendation. DIT partially agreed with this recommendation and proposed an alternative action. 
DIT noted there is no requirement to support a large number of users teleworking in an emergency. However, DIT agreed to stress test RCN, which is the most heavily used remote access method, to enhance the current engineering estimates of the projected number of users that can be supported on this technology.

DIT also noted that FDIC employees and contractors routinely use remote access tools to log into the FDIC network and that current usage results in thousands of remote connection sessions each month to the FDIC’s network and systems, providing evidence that employees are capable of remotely accessing the network.

We accept DIT’s alternative action to this recommendation; however, we continue to believe that it would be prudent to periodically require employees to practice telework under simulated emergency conditions. Doing so would also be consistent with FEMA and OPM guidance.

Recommendation 6: Pursue improvements in security controls associated with telework, when deemed cost effective, in the following areas:

       • Continuing to work toward an enterprise-wide automated encryption solution for data stored on laptops, removable USB devices, and Personal Digital Assistants.

       • Working to resolve technical issues that prevent FastAccess® with an open Outlook session from timing out after 30 minutes of inactivity, in order to be consistent with the user re-authentication requirement of OMB Memorandum 06-16.

       • Restricting user capability to extract and store sensitive data on non-FDIC computers while using RCN or FastAccess®.

DIT provided updated milestone information for the EEP project in November 2007. The FDIC completed Phase I encryption of all corporate laptops in November 2007. 
Regarding Phase II, encryption of removable media, DIT provided a project plan with detailed milestones, which estimated completion of the encryption for USB drives in January 2008 and CDs by March 2008. Regarding Phase III, encryption of PDA devices, DIT implemented a pilot in late November and anticipated full implementation of PDA encryption by the end of December 2007. This additional information is sufficient to address and close this portion of the recommendation.

DIT partially agreed with Bullet 2 above, regarding time-out of network sessions. DIT representatives were unaware of any technical solution that would prevent Outlook Web Access from remaining open beyond the 30-minute time-out window when new email traffic is sent to the client by the Exchange server. DIT agreed to complete an Acceptance of Risk memorandum by November 30, 2007 for this situation.

DIT partially agreed with Bullet 3 above, regarding logging data extracts and restricting downloads to non-FDIC computers. However, DIT representatives indicated that there is no tool in the current marketplace that will log data extracts and erase them after 90 days. DIT has implemented compensating controls to mitigate these risks. Further, DIT agreed to continue to look for and evaluate new solutions should they become available. The OIG considers DIT’s response sufficient to resolve the recommendation.

Regarding restricting downloads to non-FDIC computers, DIT indicated that this is a risk for RCN, but not for FastAccess®. DIT is not aware of a solution to this situation, short of prohibiting access to the data, which DIT does not view as a viable business solution. DIT has made a business decision to accept this risk, and DIT has again agreed to complete an Acceptance of Risk memorandum by November 30, 2007.

The OIG considers the first portion of this recommendation (encryption) closed. 
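
The time-out behavior discussed under Bullet 2 above is a general design point: if an idle timer is refreshed by any traffic on the session, including mail that the Exchange server pushes to an open Outlook Web Access window, the idle limit never fires and only a fixed absolute limit ends the session. The following is an added example written for this page, not FDIC, DIT, or vendor code. It models one session under two policies: the weak one, where any traffic resets the idle timer, and a hardened one, where only user-initiated requests reset it and an absolute limit remains as a backstop. The Session class, the run() and observe() functions, the policy names, and the event timeline are assumptions for illustration; only the 30-minute idle and 180-minute maximum figures are taken from this report.

```python
"""Idle vs. absolute session time-outs for a remote-access session.

Added illustration, not FDIC or vendor code. The 30- and 180-minute limits
match the figures cited in the report; everything else is assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

IDLE_LIMIT = timedelta(minutes=30)       # re-authenticate after 30 min of inactivity
ABSOLUTE_LIMIT = timedelta(minutes=180)  # hard cap regardless of activity


@dataclass
class Session:
    started: datetime
    reset_on_server_push: bool  # True = weak policy, False = hardened policy
    last_user_activity: datetime = field(init=False)
    expired_at: Optional[datetime] = None
    reason: Optional[str] = None

    def __post_init__(self) -> None:
        self.last_user_activity = self.started

    def observe(self, at: datetime, user_initiated: bool) -> None:
        """Feed one event (a user request or a server push) occurring at `at`."""
        if self.expired_at is not None:
            return
        # Expiry is evaluated before the event is credited, so traffic that
        # arrives after the idle window has elapsed cannot revive the session.
        self.check(at)
        if self.expired_at is not None:
            return
        if user_initiated or self.reset_on_server_push:
            self.last_user_activity = at

    def check(self, now: datetime) -> Optional[str]:
        """Return the expiry reason ('idle' or 'absolute') if expired by `now`."""
        if self.expired_at is not None:
            return self.reason
        if now - self.started >= ABSOLUTE_LIMIT:
            self.expired_at, self.reason = self.started + ABSOLUTE_LIMIT, "absolute"
        elif now - self.last_user_activity >= IDLE_LIMIT:
            self.expired_at, self.reason = self.last_user_activity + IDLE_LIMIT, "idle"
        return self.reason


# Constructed timeline (assumed): the user logs in, clicks once at +5 min, then
# walks away; the mail server pushes new messages to the open client every 20 min.
T0 = datetime(2007, 11, 1, 9, 0)
EVENTS: List[Tuple[timedelta, bool]] = [(timedelta(minutes=5), True)] + [
    (timedelta(minutes=m), False) for m in range(20, 241, 20)
]


def run(reset_on_server_push: bool) -> Tuple[str, int]:
    """Replay EVENTS under one policy; return (expiry reason, minutes until expiry)."""
    s = Session(T0, reset_on_server_push)
    for offset, user_initiated in EVENTS:
        s.observe(T0 + offset, user_initiated)
    s.check(T0 + timedelta(minutes=241))  # final sweep after the last event
    assert s.expired_at is not None
    return s.reason, int((s.expired_at - T0).total_seconds() // 60)


if __name__ == "__main__":
    print("any traffic resets idle timer:", run(reset_on_server_push=True))
    print("only user requests reset it:  ", run(reset_on_server_push=False))
```

Under the weak policy the pushed mail keeps the session alive until the 180-minute cap; under the hardened policy the session expires 30 minutes after the user's last request even though the server keeps sending traffic. The practical point is that "activity" in an idle-timeout rule must mean something the user did, and that an absolute lifetime is the control that still holds when the idle rule is defeated.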
The remaining portions of this recommendation (system time-out and logging of extracts/downloads of sensitive data) are resolved, but will remain open pending receipt of DIT Acceptance of Risk memoranda.

Recommendation 9: Evaluate the cost/benefit of employees electronically submitting forms 2121/05 and 2121/04, and if deemed cost-beneficial, negotiate with the NTEU to institute electronic submission and approval of the forms.

DOA did not agree with this recommendation. DOA indicated that the cost of the evaluation may exceed any savings derived from filing forms 2121/05 and 2121/04 electronically. DOA described the volume of paper generated through annual submissions as de minimis.

DOA also stated that, in the future, if such changes are determined to be in the Corporation’s interest, they could be included as an agency proposal to be bargained over with NTEU when the national Collective Bargaining Agreement is next renegotiated. We accept management’s decision on this recommendation, and we consider the recommendation closed.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to assess the extent to which the Corporation has established and implemented a telework program that is consistent with applicable federal standards and guidelines and recognized best practices. 
Prior to the start of our fieldwork, we met with senior officials of DIT, DOA, and OERM to ensure that our objectives and approach would result in information that addressed their needs and concerns.

Evaluation Methodology

To accomplish our objective, we became familiar with the FDIC’s corporate policies and procedures applicable to the FDIC’s telework program, including the FDIC BCP, which contains a BCP for each FDIC division and office, and the Emergency Response Plan. Both documents are dated January 2007. We reviewed the FDIC’s internal telework-related circulars, including the following:

• FDIC Circular 2121.1, dated May 2003, entitled, FDIC Telework Program. This circular establishes policy and issues guidance on the FDIC Telework Program within the FDIC.
• FDIC Circular 1380.3, dated April 1999, entitled, Laptop Computer Assignments, Safeguards, and Asset Management. This circular provides guidance on monitoring the movement of laptops within and outside of FDIC facilities.
• FDIC Circular 1360.9, dated April 2007, entitled, Protecting Sensitive Information. This circular establishes policy on protecting sensitive information collected and maintained by the Corporation and provides guidance for safeguarding the information.
• FDIC Circular 1500.5, dated January 2007, entitled, FDIC Emergency Preparedness Program. 
This circular provides guidance on responsibilities and guidelines for ensuring the safety and security of all FDIC personnel and the efficient resumption of the FDIC’s critical business processes during an emergency.

Additionally, we compared and evaluated FDIC policy and program elements against applicable government-wide guidance from OPM, GSA, OMB, and FEMA as follows:

• Office of Personnel Management: OPM-II-A entitled, A Guide to Telework in the Federal Government, dated August 2006.
• General Services Administration: Federal Management Regulations (FMR) Bulletin 2007-B1 entitled, Information Technology and Telecommunication Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs, dated March 2007.
• Office of Management and Budget: OMB Memorandum M-06-16 entitled, Protection of Sensitive Agency Information, dated June 2006.
• FEMA, Federal Preparedness Circular (FPC) 65 entitled, Federal Executive Branch Continuity of Operations, dated June 2004.

We also reviewed relevant GAO reports and testimony.

On our behalf, KPMG reviewed:

• The National Institute of Standards and Technology, Special Publication 800-53 Rev. 
1, Recommended Security Controls for Federal Information Systems, dated December 2006.
• FMR Bulletin 2007-B1, Information Technology and Telecommunications Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs, dated February 2007.

Further, KPMG:

• Evaluated the FDIC’s four methods of remote access,
• Interviewed program officials about the status of initiatives intended to identify methods of automated encryption of sensitive information stored on mobile computers and devices,
• Verified that the time-out function for the remote access methods functioned properly, and
• Assessed the FDIC’s progress for logging data extractions and erasing them when no longer needed.

To identify “Best Practices” we reviewed guidance from 13 government agencies: the U.S. Departments of Agriculture, Defense, Education, Energy, Homeland Security, Housing and Urban Development, Interior, Justice, Labor, State, and Treasury; the GSA; and the Securities and Exchange Commission. We also contacted the National Credit Union Administration and the Office of the Comptroller of the Currency to determine if their examiners were reported as teleworkers. We interviewed DOA’s program officials about the status of the telework program, including the types of telework programs, participation levels by selected divisions and offices, and participation levels by grade.

We surveyed OERM, CU, DIR, DIT, DOA, DOF, DRR, DSC, and the Legal Division to determine if evaluations of the telework program had been conducted in their respective divisions and offices. All of the divisions and offices responded to our inquiry. We also surveyed the same divisions and offices to determine if they had issued supplemental guidance specifically identifying data that should not be removed from the FDIC and used during telework sessions. 
Five (DIR, DIT, DRR, DSC, and OERM) responded to this inquiry. We did not interview selected FDIC managers responsible for approving telework requests to understand what types of duties employees are performing while on telework. Neither did we interview managers to determine how they monitored employees’ use of telework, once we determined that neither DOA program officials nor the divisions and offices we surveyed had conducted an evaluation of the telework program. Additionally, we performed the following:

• Reviewed OPM telework reporting and verified the FDIC’s compliance. We also interviewed OPM’s Lead WorkLife Program Specialist to obtain clarification of OPM guidance regarding reporting of telework statistics;
• Performed analysis of telework participation information to identify trends and usage among divisions and offices. Furthermore, we evaluated the efficiency of the FDIC’s use and management of telework program documentation;
• Assessed the FDIC’s guidance on the types of applications that can be accessed and the security category of information that can be processed, stored, and transmitted while teleworking, and the FDIC’s efforts to ensure information security at employees’ telework locations; and
• Assessed the FDIC’s policy and practices on providing equipment and infrastructure, including phone lines and information technology equipment, to teleworkers.

We attended “Telework Made Easy” sponsored by the Mid-Atlantic Telework Advisory Council, which included a panel of experts from Microsoft, Dyscern, and the GSA who discussed how their organizations implemented an expansion of their telework efforts. 
Finally, we attended a hearing of the United States Senate Subcommittee on Oversight of Government Management, “Assessing Telework Policies and Initiatives in the Federal Government,” which discussed new legislation, the Telework Enhancement Act of 2007 - S. 1000.

We performed our evaluation from June 2007 through September 2007, in accordance with the Quality Standards for Inspections.


APPENDIX II

CORPORATION COMMENTS


APPENDIX III

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance. For each recommendation the entries are: Corrective Action: Taken or Planned/Status; Expected Completion Date; Monetary Benefits; Resolved (a): Yes or No; and Open or Closed (b).

Recommendation 1
  Corrective action: Management concurred with the recommendation. DOA proposed a set of assumptions for collecting more reliable data from CHRIS T&A and agreed to develop a new reporting format for collecting telework participant statistics. In addition, management agreed to request all time keepers to remind employees to properly code all telework.
  Expected completion date: March 31, 2008 (new reporting format); December 31, 2007 (time keeper reminders)
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 2
  Corrective action: Management concurred with the recommendation. DOA plans to define telework program goals and objectives that will allow for meaningful program evaluations for specific telework areas. The definitions will provide a framework for an evaluation tool designed to assess the progress of the FDIC’s telework program, identify problems and issues, and provide for appropriate adjustments and improvements.
  Expected completion date: October 31, 2008
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 3
  Corrective action: Management concurred with the recommendation and is currently revising the BCP to fully describe the role telework plays in all contingencies, including pandemic events.
  Expected completion date: January 31, 2008
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 4
  Corrective action: Management concurred with the intent of this recommendation and, as part of the BCP revalidation process, will have divisions identify personnel expected to telework during an emergency.
  Expected completion date: January 31, 2008
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 5
  Corrective action: Management partially concurred with the recommendation. DIT stated that there is no requirement to support a large number of users teleworking in an emergency. As an alternative to the recommendation, DIT agreed to stress test RCN, which is the most heavily used remote access method. DIT also noted that current remote usage results in thousands of remote connection sessions each month, which evidences employees’ ability to work remotely. We accept management’s proposal as a method to enhance the current engineering estimates of the projected number of users that can be supported on the FDIC’s current technology.
  Expected completion date: March 15, 2008
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 6
  Corrective action, 1st bullet (enterprise-wide encryption): Management considers this bullet resolved. DIT recently completed phase 1 of the automated enterprise-wide encryption solution with the installation of encryption software on new corporate laptops. DIT also provided or discussed with OIG the flash drive encryption project plan and the Request for Information for BlackBerry encryption. DIT plans no further action on this portion of the recommendation.
  Expected completion date: N/A
  Monetary benefits: $0

  Corrective action, 2nd bullet (system time-out): Management partially concurred. DIT agreed that when using FastAccess®, Outlook Web Access remains open and does not time out if the Exchange server sends out new email traffic within the 30-minute FDIC time-out window. However, the session does have a fixed maximum time-out at 180 minutes that partially mitigates this risk. DIT knows of no acceptable business solution and will therefore complete an Acceptance of Risk memorandum.
  Expected completion date: November 30, 2007
  Monetary benefits: $0

  Corrective action, 3rd bullet, first part (logging data extracts): Management partially concurred. DIT has concluded that there is no tool in the current marketplace that will log data extracts and erase them after 90 days. DIT has compensating controls designed to mitigate the risks and has agreed to continue to look for and evaluate new solutions should they become available. The OIG considers this portion of the 3rd bullet closed.
  Expected completion date: N/A
  Monetary benefits: $0

  Corrective action, 3rd bullet, second part (storing sensitive data on non-FDIC computers): DIT agreed that RCN does provide the capability to download data to a user’s PC. However, DIT is unaware of a viable business solution. DIT has made a business decision to accept this risk and has agreed to complete an Acceptance of Risk memorandum.
  Expected completion date: November 30, 2007
  Monetary benefits: $0

  OIG status: The OIG considers the first portion of this recommendation (encryption) closed. The remaining portions of this recommendation (system time-out and logging of extracts/downloads of sensitive data) will remain open pending receipt of DIT Acceptance of Risk memoranda. For tracking purposes, we will consider the overall recommendation to be open.
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 7
  Corrective action: Management concurred with the recommendation. Subject to NTEU negotiations, DOA will update form 2121/05 to require the teleworker to identify any sensitive data that will be used during telework.
  Expected completion date: March 31, 2008
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 8
  Corrective action: Management concurred with the recommendation. The Pandemic Influenza Task Force has drafted a “Decision Points” memorandum outlining key issues impacting the FDIC’s operations and personnel and submitted the memorandum to the Human Resources Committee for review. HRC review of the memorandum is a precondition of the Task Force’s finalization of the draft Pandemic Influenza Preparedness Plan.
  Expected completion date: April 30, 2008
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Open

Recommendation 9
  Corrective action: Management did not concur with this recommendation. DOA indicated that the time and effort necessary to evaluate the cost/benefit of employees electronically submitting forms 2121/05 and 2121/04 may not offset the proposed benefits. We accept management’s decision to not take action on this recommendation.
  Expected completion date: N/A
  Monetary benefits: $0
  Resolved (a): Yes
  Open or closed (b): Closed

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.